There are no GDPR quick wins

May 23, 2018

Data protection in the digital world is an issue that just never stops, writes Gregg Petersen, regional vice-president at Veeam.

At the time of writing, the Cambridge Analytica news is just a few weeks old. While the full extent of the fiasco remains to be seen, this much is clear: the UK data marketing firm has been harvesting the data of millions of Facebook users in the US, obtained via a third-party app on the social networking site, and using it to create micro-targeted content and influence audience behaviour.

The fact that the company mines data to influence behaviour and deliver results for its clients is itself no secret – it says as much on Cambridge Analytica’s own website homepage. But it’s the talk of honey traps and fake news that’s scandalous. And, of course, that the way in which the company was able to obtain and use the data from Facebook constitutes a breach of data protection. So much so that Facebook CEO Mark Zuckerberg has apologised for what he calls a ‘breach of trust’, and admits that Facebook lost sight of the data that they have a responsibility to protect.

It’s perhaps the starkest reminder yet that we live in an age when the drive to make money from data is increasingly at odds with the need to protect that data. Which is why the GDPR couldn’t be coming at a better time for all of us, as consumers. It will give us ownership of our own personal data and hold businesses to account over the way they gather, store and use personal information. Crucially, EU customers will “have the freedom to opt in, rather than the burden of opting out”.

From 25 May 2018 onwards, businesses found to be in breach of the GDPR will face big fines. This is not just scaremongering; we fully expect that some will be made examples of, with fines of up to €20-million for serious breaches or non-compliance, or 4% of their annual turnover – whichever is higher.

So, are businesses ready for the GDPR?

Despite the looming threat of penalties for non-compliance, a survey by international law firm Paul Hastings found that many top UK and US businesses are massively overestimating their GDPR readiness. As many as “94% of FTSE 350 and 98% of Fortune 500 companies believe they’re on track to comply with the GDPR by 25 May 2018”. And yet, the same report found that only 39% of UK and 47% of US businesses have set up an internal GDPR taskforce.

Those numbers don’t really add up, especially when the requirements of the GDPR are significant and complex to address. There’s no end of inaccurate “quick win” advice on the web, aimed at businesses looking for shortcuts on the road to compliance.

In most of them, step one is “assign responsibility” – so if businesses aren’t even doing that, we can only assume they’re far from ready.

Other steps include things like “know how you’re affected” and “agree on processes”, which are non-committal at best.

Because the fact is: there’s no such thing as quick wins when it comes to the GDPR. In many places, compliance will depend on a full-scale overhaul of the way businesses collect, store and use data on EU citizens, which includes data on their own employees.

In our case at Veeam, GDPR readiness has meant updating systems and workflows in a way that will help us to know, manage and protect the data we handle more effectively, while making sure we’ve also implemented processes for the documentation, diligence and ongoing improvement of our organisation’s approach to data protection – all of which has been no mean feat.

Of course, technology will be an important part of the compliance mix for any business, but it’s definitely not as easy as throwing tech solutions at the wall and seeing what sticks. Successful adherence to the new regulations will depend on company-wide behavioural and procedural change, and there are no quick wins that can guarantee that.

GDPR’s commercial advantage

It’s worth remembering that, while the road to GDPR compliance is by no means straightforward, a company-wide effort to improve data protection also brings with it a unique commercial opportunity for businesses that do it well – not least the chance to stay competitive and make your business fit for the future.

In a post-GDPR world, companies will have to be much more transparent about why they are collecting data and what they’re using it for – i.e. if they’re mining it from third-party apps, then using it to create behavioural profiles and influence political events (ahem, Cambridge Analytica). But more than that, a business’ reputation and revenue will come to depend on that transparency. Their ability to harness the power of data for commercial gain will first rest on being a reputable brand that has built genuine consumer trust. The balance of power is fundamentally changed.

Businesses praying for a shortcut to compliance face an uphill climb, but those who capitalise on the opportunity that GDPR presents and have already started to take a proactive approach to data protection will be the real winners in the end.